Explore the evolving landscape of cybercrime, IT systems security, and information privacy. Learn from major historical cases and current trends shaping the internet era. Enhance your understanding of the risks and challenges in cyberspace. Take the survey to contribute to an undergraduate independent study project if interested.
Survey Link: https://tinyurl.com/ybfe9l63 Take this survey for an undergraduate independent study project if you so desire
CYBERCRIME! IT Systems Security and Information Privacy in the Internet Era What does it mean and why does it matter? Lecture 9
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. Dr. Eugene H. Spafford, Purdue University
So what is happening… … some major shifts are taking place • Consumers in open societies increasingly get enabled to do more themselves and the way they want it • Increasingly, technology makes it possible • Bad guys see it as an opportunity for personal, commercial or even political gains
Let’s take a look at the technological MacroTrends • Technological imperative - the Internet Protocol (IP) based network is of the essence… uniformity • Competitive imperative – a majority of financial services and many non-financial services can be delivered more cost efficiently via web technologies (e.g. media distribution… Napster-style) • Customer demand - many new functions and services are not possible outside of the Internet world while being a “natural” fit within it; consumers want them • “Catch the wave” – billions of $$ are being spent on web technologies and systems… no one can win by betting against this trend… it is a good business practice to leverage others’ work • Standards - adoption of best practices and standards in retailing, network strategy and transaction processing is beneficial for companies, but introduces an interesting set of challenges
The world is more dangerous today • We are no longer dealing with a proprietary network where each point was clearly identified, but with the Internet, involving: • Automation • Computers are good at dumb, repetitive tasks. The salami attack (stealing fractions of pennies from everyone’s interest accounts) is not feasible in the physical world. • Brute-force and DDoS attacks • Speed of propagation • Only the first attacker needs to be skilled; everyone else can use his/her software. Currently dozens of sites let you download computer viruses, and hacker tools are available on the net to exploit software vulnerabilities in almost real time. • Attack at a distance • The Internet has no borders. Systems have to prevent attacks from criminals worldwide, 24x7. • Very difficult to conduct investigation and prosecution
So, Welcome to Cyberspace • You are the target of someone !! • Computer Security Institute, 2000 report: 70% of the surveyed respondents acknowledge suffering from attacks (12% don’t know) • In this global economy • Information is the lifeblood of commerce and power • Information warfare may be devastating against critical infrastructures • Consumers can be (are!) easy targets • ALL successful businesses embrace new technologies • Cyberspace attacks benefit from Internet characteristics: automation, remote access, speed of propagation • Cyberspace has become the default place for commerce, communication, creativity and CRIME
The World Would Be a Secure Place Without People • Bottom 12% of population will commit crimes • Top 12% will never commit any crime • The middle 76% will commit crimes given the right opportunity
Those who we are supposed to Trust … the AUTHORISED Users… are sometimes the worst • Fact: Many security violations are committed or enabled by authorized users • Fact: 30% of network access permissions are allocated to non-existent users • Generic, multi-user accounts • Average damages from a single user attack over $2 Million • Fact: 70% of all intrusion investigations turn out to be internal
Recent History cases of special significance • In the last few years NASA, the CIA, the White House, IRS, Amazon, DoubleClick, Nintendo, McDonalds, New York Times, Egghead and dozens of other Web sites have been hacked • 2003 – Microsoft development servers are hacked resulting in the illegal copying of proprietary source code by offshore hackers • 2004 – ChoicePoint divulged private identity data on over 150,000 consumers to illegitimate subscribers who posed as legitimate businesses with the aid of an inside collaborator • 2007 – TJX Corp (parent of TJ Maxx) had an intrusion which resulted in over 100,000 CC transactions being stolen off their servers. • 2007 – 6 individuals arrested in RI for placing counterfeit PIN pads in retail locations that recorded CC numbers and PINs of consumers at Shop and Stop markets
More Recent History (Tip of the Iceberg) • TJX Corp • U.S. Office of Personnel Mgmt. • Target • Democratic National Committee • Home Depot • Yahoo! • …... • JP Morgan Chase • FBI Database • Sony Entertainment • Hilton Worldwide
Attacker’s profile • Type of attackers • Hacker, cracker, infowarrior, vandals • Insiders (majority of attacks) • Organized crime, terrorists • State Sponsored Cyber Terrorists • Attacker’s motivations • Publicity / challenge • Financial gain and Fraud • Thrill • Revenge • Political Inst
How does it happen ? • Menu of threats… examples • Spoofing • Unauthorized access • Eavesdropping • Data alteration/replay • Repudiation of valid transactions • Software bugs (exploited; e.g. buffer overflows) • Security devices not configured correctly leading to security holes • Distributed Denial of Service attacks and malware • E-mail, Web and phone scams, posting false info. • Social engineering • Human errors
What is at stake ? • We live by transacting with other economic agents… all our transactions can be seen, modified, fraudulently created • Other important data, including users’ data, programs, logs, archives, keys, business and technical electronic documents • Physical resources including computers, infrastructure, networks • Intellectual property, patents, know-how • Liability for the disclosure of confidential information (especially in Europe) • Disruption of key business activities and relationships (DDoS) • Brand, reputation and credibility
Cost of Cybercrime • Loss through theft or fraud • Loss due to business interruption • Loss of credibility by customers • Loss of Market Share • Cost of Prevention • Cost of Detection • Cost of Remediation • Cost of Monitoring
What’s happening out there? 2015 Stats • Stats from IC3 (Internet Crime Complaint Center)
Global Cost • Norton Study Calculates Cost of Global Cybercrime: $114 Billion Annually • One of World’s Largest Cybercrime Studies Reveals More Than One Million Victims a Day • According to the Norton Cybercrime Report, more than two thirds of online adults (69 percent) have been a victim of cybercrime in their lifetime. Every second 14 adults become a victim of cybercrime, resulting in more than one million cybercrime victims every day. For the first time, the Norton Cybercrime Report reveals that 10 percent of adults online have experienced cybercrime on their mobile phone.
The Current Situation…and increasingly so…. • Decreasing privacy • Social Networks – Data Vacuum Cleaners • Our personal information is the “blood” in the system • We live in an Age of Auto Surveillance • There is no statute of limitations on our digital lives • Globalized Cybercrime • Emergence of a Cyberspace Arms Race
Mobile under increasing attack • And the people most at risk are men ages 18 to 34 who use mobile devices to connect to the internet. In other words, PCs pose a broadly dangerous entry point for cybercriminals, but smartphones are worse. The information is especially troubling because people use smartphones with increasing frequency as the primary tools for their online work and play. • The number of new malicious programs targeting the Android platform has almost trebled in the second quarter of the year, according to figures from Kaspersky Lab’s Q2 report on IT threat evolution. Over the three months in question, over 14,900 new malicious programs targeting this platform were added to Kaspersky Lab’s database. http://www.kaspersky.com/about/news/press/2012/Android_Under_Attack__Malware_Levels_for_Googles_OS_Rise_Threefold_in_Q2_2012
Let’s just face it… • The security perimeter is gone • Too many inter-connected networks & devices • Too many doors & windows from one environment to another to secure the network in the old-fashioned way • Today, it is difficult to say with certainty where one network/system ends and another begins • Due to a complex series of interconnections, new/untested technology and people interactions, insecurity always remains => 100% security doesn’t exist
Security as a Discipline • There are several important aspects, or tenets, of security: • Identification/Authentication • Authorization • Privacy • Information integrity • Non-repudiation • System Availability • Security Enablers: • Encryption • Digital Signatures • Public Key Infrastructure • Redundancy and Fault Tolerance • Biometrics • Virus and Malware Detection
What is Authentication ? • Answers the question “Who am I?” • Can be implemented with weak or strong methods but usually involves something you know, something you have, and/or something you are • User ID • Passwords • Other “secret” info • Digital Tokens or Certificates • Biometrics • It is the most common area of attack on IT systems because it opens so many other doors • Consumers are very vulnerable to attacks in this area because they are not very good at keeping secrets • Vulnerable to “Social Engineering”
Authentication • Process to positively identify a party participating in electronic interaction • Attempting to answer the question: • who are you (identify) • are you who you say you are (confirm) • Methods based on: • Who you are (…fingerprint, retina, DNA) • What you know (…password, PIN) • What you have (…cards, digital certificates) • Examples: • UserID/Passwords • Cards (mag-stripe and chip) • PINs • Biometrics • Digital Certificates
Sample Digital Token Token-Based Digital Identity
Currently used biometric technologies • Fingerprint verification • Hand geometry • Voice verification • Retinal scanning • Iris scanning • Signature verification • Facial verification • Keyboard Dynamics
Digital Certificates • Digital Certificates are digital files that are issued to you and are unique to you as an individual • In order to receive one, you must prove who you are to the Certificate Authority that issues the certificate to you • Certificates are issued in different “flavors” or strengths depending upon what they authorize you to do • The certificate may be used to digitally “sign” an electronic document and has the same legal status as your written signature
Weak vs. Strong Authentication • An example of “weak” authentication is: • Username and 4 character PIN • Stronger authentication would be: • Username and 8 character alphanumeric password with no repeating characters • Even stronger authentication would be: • Username + 16 character alphanumeric password with no repeating characters + Biometric signature and/or a Digital Certificate
Authorization • Ensure that the right person has the access to the right resource • Access control lists… the most common means • Often used as a back door to compromise the system (it is often easier to move up on the authorization ladder than to get on the ladder in the first place) • Social Engineering commonly used to “fake” authorization
Privacy • Keep data undecipherable to unauthorized persons • Not just about encryption • Not just about technology • Mostly about people (only people know the derived meaning of data) • And mostly about intentional misuse of personal data
Cryptography helps maintain privacy • To most people, cryptography is concerned with keeping communications private • Cryptology (from the Greek kryptós lógos, meaning “hidden word”) • Encryption is the transformation of data into a form that is as close to impossible to read as possible without the appropriate knowledge (key) • Decryption is the reverse of encryption • Encryption and decryption generally require the use of some secret information, referred to as a key
Integrity • Keep data free from tampering • Not the same as privacy (do not need to understand the data to change it unnoticed) • Don’t need to know what was changed… just that it was changed • Checksums and digital watermarks are commonly used to detect integrity breaches
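An added example (not part of the original lecture) for the integrity slide above: a checksum reports that a record changed without saying what changed, but an unkeyed checksum stored next to the data can simply be recomputed by whoever alters it, which is why a keyed checksum (HMAC) is used where that matters. The record, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumption, not from the slides).
RECORD = b"2007-03-01;acct=12345;amount=100.00;payee=ACME"
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sha256_checksum(data: bytes) -> str:
    """Unkeyed checksum: anyone holding the data can compute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA256): only key holders can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def checksum_ok(data: bytes, expected: str) -> bool:
    # The result is a yes/no answer: it says *that* data changed, not *what* changed.
    return hmac.compare_digest(sha256_checksum(data), expected)


def tag_ok(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), expected)


def demo() -> dict:
    stored_sum = sha256_checksum(RECORD)      # reference values taken at write time
    stored_tag = hmac_tag(DEMO_KEY, RECORD)
    altered = RECORD.replace(b"100.00", b"900.00")
    return {
        "original_passes": checksum_ok(RECORD, stored_sum)
        and tag_ok(DEMO_KEY, RECORD, stored_tag),
        # Data altered, reference values untouched: both checks fail.
        "caught_by_checksum": not checksum_ok(altered, stored_sum),
        "caught_by_hmac": not tag_ok(DEMO_KEY, altered, stored_tag),
        # Data and its unkeyed checksum replaced together: the check passes.
        "recomputed_checksum_passes": checksum_ok(altered, sha256_checksum(altered)),
        # Without the key, a recomputed tag does not verify.
        "tag_from_wrong_key_passes": tag_ok(
            DEMO_KEY, altered, hmac_tag(b"guessed-key", altered)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same checks work unchanged on encrypted bytes, since verification never needs to understand the data.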
Non-repudiation • Provide legally binding proof that a certain transaction took place between certain actors • Three issues: • Data non-repudiation (what happened) • Party non-repudiation (who did it) • Trusted 3rd party certification (similar to an escrow service)
Availability of Service Issues • The popularity of the Internet has made Denial of Service a favorite pastime of certain hackers • Disruption of service due to worms and viruses • Hacking a website so as to make it unusable • File tampering and destruction
Identity Theft….a growing menace • Has become the number one complaint from consumers to Law enforcement dealing with cyberspace crimes • In the U.S. someone’s identity is stolen every 60 seconds at an average loss of over $6000 to the victim • Usually achieved with a combination of Social Engineering and hacking • Involves building a profile of the target from many possible sources and scams
Identity Theft • “What do they want?” • Your name • Date of Birth • Address • Telephone numbers • Driver's License • Credit card account number • Bank account number • Social Security Number Or any combination of the above!
Identity Theft • How do they get it? • Emails - “The Nigerian Letter” • Phishing • Pharming • Spoofing • Intercepting printed mail • Secret Spybots • Trojan Horses which capture your keystrokes on your PC and send them to the hacker!
Threats to the Internet Itself • What would happen to the global economy if someone successfully attacked the domain name servers that assign all of the internet addresses and URLs? • Worldwide Chaos • Huge business failures • Major disruption to every large national economy • Major disruption in government services • Consumer Panic similar to a stock market crash • Retailing, Travel, Banking, Insurance, Brokerage and News services all crippled • No more free downloads!
Security Utopia • An illusion is often propagated that the computer system is secure when there are: • Security guards + video system • A set of security policies and procedures • System backups + fire detection + UPS • Some smart software and hardware in place • Everything is placed in a locked vault…underground • When in fact this is just a first line of defense….. it is never enough….
A Quote for the Day…. • Secure web and email servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.
take a look! hackmageddon.com http://www.justice.gov/criminal/cybercrime/cc.html http://www.computerworld.com/s/topic/82/Cybercrime+and+Hacking